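# Network Policies for DoD/MilSpec Compliance
#
# Implements network segmentation per:
# - NIST SP 800-53: SC-7 (Boundary Protection)
# - NIST SP 800-171: 3.13.1 (Network Segmentation)
#
# Zero Trust network architecture with micro-segmentation
#
# Reading notes:
# - NetworkPolicies are additive. A pod's allowed traffic is the union of
#   every policy that selects it, so no document below can narrow what
#   another one already permits.
# - Inside ONE `from`/`to` entry, `namespaceSelector` and `podSelector` are
#   AND-ed (pod X in namespace Y). As SEPARATE entries they are OR-ed (any pod
#   in namespace Y, or any pod labelled X in the policy's own namespace), which
#   is strictly broader. Every peer here is therefore written as a single
#   entry.
# - Namespaces are matched on `kubernetes.io/metadata.name`, which the API
#   server sets automatically and keeps immutable (Kubernetes >= 1.21). A
#   hand-applied `name:` label can be absent, or set by anyone allowed to edit
#   namespace labels.
# - Only the `default` namespace has a default-deny policy in this file; the
#   `database` and `identity` namespaces carry no baseline deny here.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-default
  namespace: default
spec:
  # An empty podSelector selects every pod in the namespace.
  podSelector: {}
  # Both policy types listed with no ingress/egress rules: all traffic is
  # denied by default (allow-list approach). Later policies add the flows.
  policyTypes:
    - Ingress
    - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: sankofa-api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow ingress from the ingress controller only: pods labelled
    # app=ingress-nginx AND located in the ingress-nginx namespace.
    # NOTE(review): confirm the controller pods really carry app=ingress-nginx;
    # if not, this rule admits nothing and the API is unreachable.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
          podSelector:
            matchLabels:
              app: ingress-nginx
      ports:
        - protocol: TCP
          port: 4000
  egress:
    # Allow egress to the database: postgres pods in the database namespace.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: database
          podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
    # Allow egress to Keycloak: keycloak pods in the identity namespace.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: identity
          podSelector:
            matchLabels:
              app: keycloak
      ports:
        - protocol: TCP
          port: 8080
    # Allow DNS to the cluster resolver only. TCP/53 is included because
    # resolvers retry over TCP when a UDP answer is truncated.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-isolate
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only allow the API pods in the default namespace (single entry: AND).
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: default
          podSelector:
            matchLabels:
              app: sankofa-api
      ports:
        - protocol: TCP
          port: 5432
  # Deny all egress: the database must not initiate connections.
  # An empty list with Egress in policyTypes allows nothing. (A rule of `{}`
  # would be an empty rule, which matches and ALLOWS all egress.)
  egress: []
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: classification-based-segmentation
  namespace: default
spec:
  podSelector:
    matchLabels:
      classification: classified
  policyTypes:
    - Ingress
    - Egress
  # No ports are listed, so the peers below are allowed on every port.
  # Peers have no namespaceSelector, so only pods in this namespace match.
  # Because policies are additive, a pod that also matches api-allow-ingress
  # keeps that policy's flows in addition to these.
  ingress:
    # Only allow from the same classification level or higher.
    - from:
        - podSelector:
            matchLabels:
              classification: classified
        - podSelector:
            matchLabels:
              classification: secret
        - podSelector:
            matchLabels:
              classification: top-secret
  egress:
    # Restricted egress for classified data: same level or higher only.
    # NOTE(review): there is no DNS egress here; pods selected only by this
    # policy cannot resolve names. Confirm that is intended.
    - to:
        - podSelector:
            matchLabels:
              classification: classified
        - podSelector:
            matchLabels:
              classification: secret
        - podSelector:
            matchLabels:
              classification: top-secret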